Linux Security

Information Management graduate student 劉順德
Outline
• General Security
– Account
– Local
– Network
– Patch
• Services Security
– Sendmail
– BIND/DNS
– Apache
– FTP
• Recent Linux security information
– Linux worm
General Security
• Account
– The password length
– Set login time out for root account
– Special accounts
– Blocking anyone from using su to become root
General Security
• Local
– Find all files with SUID/SGID bit enabled
– Local login access control
– More control on mounting a file system
– Fix the permissions under “/etc/rc.d/init.d”
– Resource limits
– Integrity Checking
General Security
• Network
– Use xinetd
• A program to replace inetd and TCP wrappers
– Routing Protocol
• Disable source routing
– Enable TCP SYN Cookie Protection
• echo 1 > /proc/sys/net/ipv4/tcp_syncookies
– Clear issue file
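A check for the two kernel settings named on this slide, as an added example that is not part of the original slides. It assumes source routing is controlled by the `accept_source_route` files under `/proc/sys/net/ipv4/conf/`; the function name `check_net_hardening` and its optional root-directory argument are hypothetical.

```shell
#!/bin/sh
# Added example: audit the kernel network settings named on the slide.
# check_net_hardening [PROC_ROOT]
#   PROC_ROOT defaults to /proc; pass another directory to audit a copy
#   (hypothetical parameter, so the check can also run on sample data).
# Prints one line per setting and returns the number of findings.
check_net_hardening() {
    proc_root="${1:-/proc}"
    ipv4="$proc_root/sys/net/ipv4"
    findings=0
    checked=0

    # SYN cookies: the slide enables them by writing 1 to this file.
    f="$ipv4/tcp_syncookies"
    if [ ! -r "$f" ]; then
        echo "UNKNOWN tcp_syncookies (cannot read $f)"
        findings=$((findings + 1))
    elif [ "$(cat "$f")" = "0" ]; then
        echo "FAIL    tcp_syncookies=0 (SYN cookie protection is off)"
        findings=$((findings + 1))
    else
        echo "OK      tcp_syncookies=$(cat "$f")"
    fi

    # Source routing: every interface entry, plus "all" and "default",
    # should hold 0 (assumption: accept_source_route is the control used).
    for f in "$ipv4"/conf/*/accept_source_route; do
        [ -e "$f" ] || continue          # glob matched nothing
        checked=$((checked + 1))
        iface=$(basename "$(dirname "$f")")
        if [ "$(cat "$f")" = "0" ]; then
            echo "OK      $iface accept_source_route=0"
        else
            echo "FAIL    $iface accept_source_route=$(cat "$f")"
            findings=$((findings + 1))
        fi
    done
    if [ "$checked" -eq 0 ]; then
        echo "UNKNOWN accept_source_route (no entries under $ipv4/conf)"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Calling `check_net_hardening` with no argument audits the running system; a non-zero return status is the number of settings that failed or could not be read.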
General Security
• Patch
– Patch information:
• http://www.redhat.com/support/errata/
– Download
• ftp://updates.redhat.com/
– Integrity Check
• rpm --checksig <PatchFile>
– Install:
• rpm -Uvh <PatchFile>
Securing Sendmail
• The Sendmail restricted shell “smrsh”
• The “/etc/aliases” file
• Prevent your Sendmail from being abused by unauthorized users
• Restrict who may examine the queue’s contents
• Set the immutable bit on important Sendmail files
Securing BIND/DNS
• Running BIND/DNS in a chroot jail
[Diagram: the root file system (bin, boot, cache, chroot, dev, etc, home, lib, lost+found, mnt, proc, root, sbin, tmp, var, usr) and the "named" directory, which contains dev, etc, lib, usr and var: our chroot jail that hosts the BIND/DNS server and is owned by the user "named"]
Securing Apache
• Change the permissions on some important files and directories of your web server
• Automatic indexing
• Create the .dbmpasswd password file for user authentication
• Immunize important configuration files like “httpd.conf”
• Running Apache in a chroot jail
• Configuration of the new “/etc/logrotate.d/apache” file
Securing FTP server
• The ftpusers file
• The anonymous FTP program
• The upload command
• The special file “.notar”
• The noretrieve command
Recent Linux security information
• Linux worm
– Ramen (infects Red Hat 6.2 & 7.0)
– Lion (infects BIND 8.2.x)
• The same features
– Attack based on a vulnerability
– The same workflow
[Workflow diagram labels: logging IP, SYN scan, infect computer, attack, ftp, Class B domain, vulnerable computer]